1. Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi 1

2.  Two Information Coding Schemes  RSA Algorithm  Privacy  Authenticity  Reed-Solomon Codes  (Bursty) Noise Tolerance 2

3. 3

4. 4

5. 5 Trinity? Yes, it’s me.

6.  Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc…)  Requires prior agreement on a shared key over a secure channel  What if Neo and Trinity have yet to meet? 6

7.  Mathematically-related public/private key pairs are generated  Messages encrypted with public key  Can only be decrypted with private key  Infeasible to compute private key from public key alone  No need to agree on a shared key! 7

8.  Rivest, Shamir and Adleman (1977)  Based on difficulty of computing prime factors of large integers 8

9. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 9 Setup Usage

10. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 10

11.  Let e, d, n be integers with n ≠ 0  Fact: If gcd(e, n) = 1 (i.e. e and n are coprime) then there exists d such that de ≡ 1 (mod n)  In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1 11

12. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 12

13. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 13

14.  Definition: no. of integers 1 ≤ a ≤ n with gcd(a, n) = 1  Formula:  For n = pq where p and q are primes 14

15.  Let x, y, m, n be integers with n ≥ 0  Fact: If x ≡ y (mod ɸ (n)), then m x ≡ m y (mod n)  In other words, working in mod n requires that we work mod ɸ (n) in the exponent 15

16. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 16

17. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Encrypt with C ≡ M e (mod n) 7. Decrypt with M ≡ C d (mod n) 17 (M e ) d ≡ M (mod n) and (M d ) e ≡ M (mod n)

18. 1. Pick p = 37 and q = 43 2. Compute n = 1591 and ɸ (n) = 1512 3. Pick e = 71 gcd(e, ɸ (n)) = gcd(71, 1512) = 1 4. Compute d = 575 (Extended Euclidean Algorithm) de = 40825 ≡ 1 (mod 1512) 5. Public key is (n, e), private key is (n, d) 6. Encrypt: C ≡ M e ≡ 1234 71 ≡ 908 (mod 1591) 7. Decrypt: M ≡ C d ≡ 908 575 ≡ 1234 (mod 1591) 18

19. 1. Pick two distinct primes p and q 2. Compute n = pq and ɸ (n) = (p – 1)(q – 1) 3. Pick e where 1 < e < ɸ (n) and gcd(e, ɸ (n)) = 1 4. Compute d where de ≡ 1 (mod ɸ (n)) 5. Public key is (n, e), private key is (n, d) 6. Sign M with S ≡ M d (mod n) ; Send (M, S) 7. Verify that M ≡ S e (mod n) 19 Reversed! Sign with private key Verify with public key

20. 1. Modular exponentiation ▪ Successive-Squaring 2. Computing d from e and ɸ (n) ▪ Extended Euclidean Algorithm 3. Finding large primes 20

21.  Successive-Squaring to Compute C ≡ M e (mod n) Let e = e k e k–1 … e 0 (binary representation of e) C := 1 For i := k, k – 1, …, 0 C := (C * C) mod n If e i = 1 Then C := (C * M) mod n End For  Performance: O(log e)  Memory: O(1) 21

22.  Extended Euclidean Algorithm:  Since e and ɸ (n) are coprime, solving yields d = y satisfying 22 Find max. q i satisfyingand x i and y i satisfying When r k = 0, stop and output gcd(a, b) = r k-1 and x = x k-1 and y = y k-1 Similar to Euclidean Algorithm for gcd(a, b), but retain quotients q i at each step i to compute x i and y i

23.  Generate a large random integer  Apply primal test repeatedly  Primality Tests:  Miller-Rabin  Solovay-Strassen  Fermat Primality Test  Euler Witness, Euler Liar 23

24. 24

25. 25

26. 26

27. 27

28. 28

29. 29

30. 30

31. 31

32. 32

33. 33

34. 34

35. 35

36. 36

37. 37

38. 38

39. 39 ???

40. 40

41. Noise is Natural Studied models in general  Binary Symmetric Channel  Binary Erasure Channel  Noisy Typewriter Channel  Continuous Output Channel … 41

42. 42

43. 43 MC 00000 01001 10010 11011 100 101 110 111

44. 44

45. 45

46. 46 MC 00000 01001 10010 11011 100 101 110 111 No Structure?? Have to store the whole mapping in a codebook

47. 47 G = n x k, where n =7, k=4 for example, Hamming Code is Linear =

48. 48

49.  Applications: CDs, Space Communication, …  Robust against Burst errors 49 From left: Gustave Solomon & Irving S. Reed

50. 50

51. 51

52. 52

53. 53

54. 54

55. 55

56.  A set of elements with two operations “Addition” and “Multiplication” defined on these elements.  Closed under these two operations  Basically all arithmetic operations are allowed Examples: Set of Real numbers, Set of Rational numbers… 56

57.  A field with finite number of elements. Example: {0,1} with modulo operations In general {0,1,2….p-1} is a field with p elements with modulo operations. (p is prime) How to construct fields with 8 elements? In general how to construct p r elements?? 57

58.  A field with 2 m elements can be constructed by extending the field GF(2) which is {0,1}.  Let α denotes an additional element in GF(2 m ).  Now GF(2 m ) ={ 0,1, α,α 2,….. α 2 m -1, α 2 m,…}  To make the number of elements 2 m, we restrict α 2 m -1 = 1 = α 0 58

59. GF(2 m )={0, α 0, α,…… α 2 m -2 }  Any non-zero element in GF(2 m ) can be written as a polynomial of degree at most m-1.  Coefficients are from GF(2)  Also they can be mapped to binary values. 59

60.  An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides x n +1 is n=2 m -1.  Example: 1 + x + x 4 because it divides x n +1 for n=15 and not for other values less than 15.  Used for construction GF(2 m )  RS codes use GF(2 m ). 60

61. 61

62. 62

63. 63

64.  Linear Code  Cyclic  d = n-k+1 (Maximum Distance Separable)  Can correct up to n-k erasures  Can correct up to (n-k)/2 symbol errors 64

65.  This form of encoding is not in Systematic form  Systematic form : Parity symbols message symbols  010 110 111 100 001 011 101 010 110 111  Message polynomial α + α 3 x + α 5 x 2  Code Polynomial α 0 + α 2 x + α 4 x 2 + α 6 x 3 + αx 4 + α 3 x 5 + α 5 x 6  A generator polynomial g(x) is defined as g(x) = (x-α) (x-α 2 ) …………… (x-α 2t ) 65

66.  Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x 2t.  Define p(x) = x 2t m(x) (mod g(x))  The final codeword polynomial u(x) is u(x) = p(x) + x 2t m(x) 66

67.  Message polynomial α + α 3 x + α 5 x 2  Yielding αx 4 + α 3 x 5 + α 5 x 6 after multiplication with x 2t i.e. x 4  Take g(x) = (x- α)(x- α 2 )(x- α 3 )(x- α 4 ) = x 4 – α 3 x 3 + α 0 x 2 – αx + α 3 = α 3 + αx + α 0 x 2 + α 3 x 3 +x 4 Next divide α x 4 + α 3 x 5 + α 5 x 6 by g(x) to find the remainder p(x) = α 0 + α 2 x 4 + α 4 x 2 + α 6 x 3. Now u(x)=α 0 + α 2 x + α 4 x 2 + α 6 x 3 + αx 4 + α 3 x 5 + α 5 x 6 67

68.  The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.  The syndromes are basically evaluations of the received polynomial r(x) at α, α 2, α 3,… α 2t. S i = r(α i ), i=1,2,….2t  If r(x) is a valid codeword then we get all the S i evaluate to zero.  Any non-zero S i indicates the presence of errors. 68

69.  The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2 m ).  Hence r(x) = u(x) + e(x).  The problem finding e(x) from r(x) (or the syndromes) is decoding. 69

70.  Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).  If at most ‘t’ of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.  Polynomial multiplication/division using FFT takes O(klogk) where k is the max of degrees of the polynomial. 70

71.  Error polynomial e(x) = e 0 + e 1 x +….e n x n  Suppose the received polynomial r(x) has ν errors in it at the locations i 1,i 2,…i ν. The magnitude of error at these locations are e i j.  Then syndromes can be written in the form Sj = e 1 j x l j + e 2 j x l j + ….+e ν j x l j j=1,2,…2t where X l = α il 71

72. 72

73. 1. Calculate Syndromes 2. Find the error locator polynomial  Peterson-Gorenstein-Zierler Decoder 3. Find error locations  Chien Search 4. Find error values  Forney’s Algorithm 73

74. 74 Non- Linear System!! Finding S j for j = 1 to 2t

75. 75  Intuition: The roots of this polynomial are inverses of the error locations  Help to find the locations where an error has occurred Expanding Λ(x):

76. 76 For x = X l -1 and for any 1 ≤ l ≤ ν Multiplying throughout by Y l X l (j+ν)

77. 77 Sum over l = 1 to t

78. 78  Equation (1) – (4) now form a system of Linear Equations

79. 79  Solved for Λ i s by finding the largest value of ν for which M ν is non-singular starting from ν = t  Overall this algorithms runs in polynomial time  ν ≤ t; 2t = n – k = O(n) (could also be O(1) for large n & k)  Use polynomial-time algorithms for matrix determinants and inversion

80. 80

81. 81 For i ≥ ν, Y i X i = 0  The Middle matrix is singular  M μ is singular

82. 1. Calculate Syndromes 2. Find the error locator polynomial  Peterson-Gorenstein-Zierler Decoder 3. Find error locations  Chien Search 4. Find error values  Forney’s Algorithm 82

83.  Find roots of Error Locator Polynomial, Λ(x), by exhaustive search  Evaluate Λ(α i ) for i = 1, 2, …, 2t  Find all i where Λ(α i ) = 0  α i is a root of Λ(x)  Error locations will also be of the form: α j  Here, α j = α -1 and j = 2t – i.  If number of errors found is ≥ t, abort process 83

84. 84

85.  Number of iterations = O(n)  Linear time algo  Correctness of Chien Search:  Viewing Λ(x) as a polynomial over a finite field 85

86. 1. Calculate Syndromes 2. Find the error locator polynomial  Peterson-Gorenstein-Zierler Decoder 3. Find error locations  Chien Search 4. Find error values  Forney’s Algorithm 86

87. 87 Convert to matrix form Vandermonde Matrix

88. 88  Defining the Syndrome polynomial:  Defining the Error Evaluator polynomial: where, b is the degree of the smallest root of the generating function of the code &

89.  Computing coefficients of Ω(x) takes ≈ ν 2 /2 multiplications  Computing each Y i takes 2ν+1 multiplications and one reciprocal  Total computation time needed ≈ 2.5ν 2 multiplications  ν = O(n)  Operations needed O(n 2 )  Polynomial Time algorithm 89

90. 1. Calculate Syndromes 2. Find the error locator polynomial  Peterson-Gorenstein-Zierler Decoder 3. Find error locations  Chien Search 4. Find error values  Forney’s Algorithm 90

91.  r(x) = u(x) + e(x)  Decoding techniques help determine e(x) completely  Hence, u(x) = r(x) – e(x) = Message sent is recovered 91 We are done!!

92.  Other more efficient (implementation wise) algorithms for decoding:  Berlekamp-Massey Decoder (LFSR and iterative correction)  Euclidean Algorithm (Values and locations simultaneously determined using iterative GCD of polynomials)  Decoders implemented as dedicated chips by manufacturers (Hardware and Software) 92

93. RSA: 1. Evgeny Milanov, RSA algorithm, http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf 2. Kenneth Rose, Elementary Number Theory and its applications, 5 th Ed., Pearson International 3. Trappe & Washington, Introduction to Cryptography with Coding Theory, 2 nd Ed., Pearson International Reed-Solomon Codes: 1. Bernard Sklar, Reed Solomon error correction, http://ptgmedia.pearsoncmg.com/images/art_sklar7_reed- solomon/elementLinks/art_sklar7_reed-solomon.pdf http://ptgmedia.pearsoncmg.com/images/art_sklar7_reed- solomon/elementLinks/art_sklar7_reed-solomon.pdf 2. V. Guruswami, Introduction to Coding Theory, CMU, http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/ http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/ 3. John Gill, EE 387 Note #7, Stanford University, http://www.stanford.edu/class/ee387/handouts/notes7.pdf http://www.stanford.edu/class/ee387/handouts/notes7.pdf 4. Wikipedia 93

94. Thanks for your attention!! 94